Abstract

ODRL is a popular XML-based language for stating the conditions under which 
resources can be accessed legitimately. The language is described in English and, as 
a result, agreements written in ODRL are open to interpretation. To address this 
problem, we propose a formal semantics for a representative fragment of the language. 
We use this semantics to determine precisely when a permission is implied by a set 
of ODRL statements and show that answering such questions is a decidable NP-hard 
problem. Finally, we define a tractable fragment of ODRL that is also fairly expressive. 

1 Introduction 

ODRL, the Open Digital Rights Language [Iannella 2002], is an XML-based language for 
stating the conditions under which resources can be accessed legitimately. For example, in 
ODRL, an author can write "Anyone who pays five dollars may download my latest eBook 
'How to Get Rich in Five Dollar Increments' ". As another example, Pixar can say "The 
Disney Corp. has the exclusive right to distribute the movie 'Finding Nemo' ". Although 
there are many languages that can capture these types of statements, ODRL is particularly 
interesting because it has been endorsed by nearly twenty organizations including 

• Nokia, a multi-industry conglomerate focused on mobile communications; 

• the DAFNE project (District Architecture for Networked Editions), a research project 
funded by the Italian Ministry of Education, University and Research to develop a 
prototype of the national infrastructure for electronic publishing in Italy; 

• the RoMEO Project (Rights MEtadata for Open archiving), created to investigate 
rights management of "self-archived" research in the United Kingdom academic community. 

ODRL developers are currently working with a number of communities, including Creative 
Commons and Dublin Core, to address their needs. The complete list of supporters and ongoing 
projects can be found at www.odrl.net; however, this small sample already illustrates 
the widespread impact that ODRL has on rights management. The success of these projects 
depends on ODRL. 

Unfortunately, ODRL does not have formal semantics. The meaning of the statements 
is described in English and, as a result, agreements written in ODRL are open to interpretation. 
For example, suppose that Alice owns two printers, Printer One and Printer Two, 
and Bob is a potential user. To regulate Bob's access to the printers, Alice and Bob write 
an agreement in ODRL that says only this: Bob is permitted to use Printer One or Bob 
is permitted to use Printer Two. The agreement clearly allows Bob to use at least one 
of the printers, but it does not say which one. If Alice assumes the choice is hers, since 
the agreement does not say otherwise, and Bob believes the choice is his, since the agreement 
arguably implies this, then Alice and Bob disagree on the meaning of the agreement. 
Moreover, because this type of underspecification is possible in ODRL, they cannot use the 
ODRL specification to resolve the dispute. 

To address this problem, we propose a formal semantics for ODRL and define when 
a permission (or prohibition) follows from a set of ODRL statements. To the best of our 
knowledge, we are the first to do this. When giving the language formal semantics, we had 
to resolve the ambiguities in the specification. Most of the aspects were clarified through 
discussions with Renato Iannella, editor of the ODRL specification and Chief Scientist at 
IPR systems at the time of its release. Unfortunately, he could not answer all of our 
questions because some of them revealed subtleties in the language that had not been 
considered previously. While discovering such subtleties is one of the rewards for trying to 
give a language formal semantics, these issues must be resolved before semantics can be 
given. So, when necessary, we have highlighted ambiguities and then taken our best guess. 

We give formal semantics to ODRL by defining a translation from the key components 
in ODRL to formulas in a fragment of many-sorted first-order logic with equality. We 
use first-order logic because the formal methods community has proposed several policy 
languages that are fragments of first-order logic (see, for example, Cassandra [Becker and 
Sewell 2004], Lithium [Halpern and Weissman 2003], Delegation Logic [Li et al. 2003], the 
RT (Role-based Trust-management) framework [Li et al. 2002], Binder [DeTreville 2002], 
SD3 [Jim 2001], and FAF (Flexible Authorization Framework) [Jajodia et al. 2001]), and 
a translation exists for XrML [Halpern and Weissman 2004], another popular XML-based 
language. So the translation from ODRL to first-order logic facilitates comparisons between 
the languages and helps us apply previous results to ODRL. In addition, because first-order 
logic is highly expressive, we are hopeful that, if ODRL is extended, then the translation 
can be extended in a natural way. 

The formal semantics can be used as a foundation for answering queries. For example, 
answering a query of the form "Does a particular permission (or prohibition) follow from 
a set of ODRL statements" corresponds to deciding whether the translation of the statements 
implies the permission (or prohibition). Answering this particular type of query is of 
obvious practical importance. Unfortunately, we show that the problem is NP-hard. The 
intractability result is due, at least in part, to a component that is not clearly defined in 
the specification and seems to require further consideration by the language developers. If 
we remove this troublesome construct, then we can answer our queries in polynomial time. 

The rest of this paper is organized as follows. In the next section, we present a representative 
fragment of ODRL. In Section 3, we give a semantics to this fragment by translating 
expressions in the language to formulas in first-order logic. In Section 4, we define when a set 
of ODRL statements implies a permission (or prohibition); show that determining whether 
a particular implication holds is, in general, NP-hard; and find a tractable fragment of the 
language. We give a general critique of ODRL, along with suggested improvements, in 
Section 5. We conclude in Section 6. 

2 The ODRL Language 

In this section, we describe ODRL by giving an abstract syntax for a representative fragment 
of the language. Using this abstract syntax, rather than the XML-based syntax of ODRL, 
simplifies the presentation and discussion of our semantics. To illustrate the differences 
between the two notations, consider the statement "If Mary Smith pays five dollars, then 
she is allowed to print the eBook 'Treasure Island' twice and she is allowed to display it on 
her computer as many times as she likes". (A similar expression is discussed in [Guth et al. 
2003].) We can write the statement in ODRL as 

<agreement>
  <asset> <context> <uid> Treasure Island </uid> </context> </asset>
  <permission>
    <display>
      <constraint>
        <cpu> <context> <uid> Mary's computer </uid> </context> </cpu>
      </constraint>
    </display>
    <print>
      <constraint> <count> 2 </count> </constraint>
    </print>
    <requirement>
      <prepay>
        <payment> <amount currency="AUD"> 5.00 </amount> </payment>
      </prepay>
    </requirement>
  </permission>
  <party> <context> <name> Mary Smith </name> </context> </party>
</agreement>

In our syntax, we write the statement as 

agreement 
  for Mary Smith 
  about Treasure Island 
  with prePay[5.00] → and[cpu[Mary's Computer] ⇒ display, count[2] ⇒ print]. 

Our syntax is given in Figures 1 and 2. We now discuss its main features and then present 
a summary of the key differences between our syntax and that of ODRL. 

The central construct of ODRL is an agreement. An agreement says that a principal 
(i.e., an agent or a group) prin_u is allowed to access an asset according to a set of policies 
(i.e., rules). Typically, prin_u is called the agreement's user. For example, suppose that 
an agreement says "Alice is allowed to play 'Finding Nemo', if she first pays five dollars". 
Then, the user is Alice, the asset is 'Finding Nemo', and the policy is "The user may play 
the asset, if she pays five dollars". 
agr  ::= agreement for prin_u about a with ps        agreement 

prin ::= s                                           subject 
       | {prin_1, ..., prin_m}                       group 

a ∈ Assets                                           asset 
s ∈ Subjects                                         subject 

ps   ::= prq → p                                     primitive policy set 
       | prq ↦ p                                     primitive exclusive policy set 
       | and[ps_1, ..., ps_m]                        conjunction (m ≥ 1) 

p    ::= prq ⇒_id act                                primitive policy 
       | and[p_1, ..., p_m]                          conjunction (m ≥ 1) 

act  ::= play                                        play asset 
       | print                                       print asset 
       | display                                     display asset 

id ∈ PolIds                                          policy identifier 

Figure 1: Abstract syntax for ODRL (agreements) 


The set of principals and assets is application-dependent. For example, a digital library 
might have a principal for each patron and an asset for each publication. We assume that 
the application provides a set Assets of assets, as well as a set Subjects of subjects. The set 
of principals is defined inductively: every subject in Subjects is a principal and every group 
(i.e., set) of principals is a principal. Roughly speaking, if a policy applies to a principal 
prin, then the policy applies to every subject in prin. 

Every agreement includes a policy set. A policy set consists of a prerequisite and a 
policy. Roughly speaking, if the prerequisite holds, then the policy holds; that is, the 
policy is taken into consideration when answering questions about what is and what is not 
permitted. In addition, a policy set can be tagged as being exclusive. An exclusive policy 
set indicates that only the agreement's user (the subjects comprising the principal) may 
perform the actions regulated by the policy set; every other subject is forbidden from doing 
the regulated actions. Policy sets are closed under conjunction. Roughly speaking, this 
allows a single agreement to include multiple policy sets. 

A policy is a prerequisite, an action, and a unique identifier. If the prerequisite holds, 
then the policy says that the agreement's user may perform the action to the agreement's 
asset. (We use the identifiers to simplify the translation. They are optional in ODRL.) The 
set of policies is closed under conjunction. For simplicity, we often omit the identifier if it 
is not relevant to our examples and we restrict the set of actions to play, print, and display. 

prq  ::= true                                        prerequisite 
       | cons                                        constraint 
       | req                                         requirement 
       | cond                                        condition 
       | and[prq_1, ..., prq_m]                      conjunction (m ≥ 1) 
       | or[prq_1, ..., prq_m]                       disjunction (m ≥ 1) 
       | xor[prq_1, ..., prq_m]                      exclusive disjunction (m ≥ 1) 

cons ::= prin                                        principal 
       | forEachMember[prin; cons_1, ..., cons_m]    constraint distribution (m ≥ 1) 
       | count[n]                                    number of executions (n ∈ ℕ) 
       | prin(count[n])                              number of executions by prin (n ∈ ℕ) 

req  ::= prePay[r]                                   prepayment (r ∈ ℝ⁺) 
       | attribution[s]                              attribution to subject s 
       | inSeq[req_1, ..., req_m]                    ordered constraints (m ≥ 1) 
       | anySeq[req_1, ..., req_m]                   unordered constraints (m ≥ 1) 

cond ::= not[ps]                                     suspending policy set 
       | not[cons]                                   suspending constraint 

Figure 2: Abstract syntax for ODRL (prerequisites) 

A prerequisite is either true, a constraint, a requirement, or a condition. The prerequisite 
true always holds. For simplicity, we abbreviate policy sets of the form true → p as p, and 
we abbreviate policies of the form true ⇒ act as act. Constraints are facts that are outside 
the user's influence. For example, there is nothing that Alice can do to meet the constraint 
"The user is Bob". Requirements are facts that are typically within the user's power to 
meet. For example, Alice can meet the requirement "The user has paid five dollars" by 
making the payment. Although the distinction between constraints and requirements is not 
relevant when answering questions about what is and is not permitted, we remark that it is 
useful for other types of queries. In particular, it provides key information when determining 
what a principal can do to obtain a permission. Finally, conditions are constraints that must 
not hold. The statement "The user is not Bob" is an example of a condition. 

The set of prerequisites is closed under conjunction, disjunction, and exclusive disjunction 
(i.e., under and, or, and xor). Conjunction allows a single policy or policy set to have 
multiple prerequisites. For example, we use conjunction to write the policy "If the user 
pays one dollar and acknowledges Alice as the creator of file f, then the user may copy f". 
Disjunction and exclusive disjunction are used to abbreviate policies and policy sets in a 
natural way. For example, consider the policy "If the user pays five dollars then the user 
may watch the movie and if the user is Alice, then the user may watch the movie". Using 
disjunction, we can abbreviate the policy as "If the user pays five dollars or the user is 
Alice, then the user may watch the movie". 

Our fragment of ODRL includes two primitive forms of constraints: user constraints and 
count constraints. A user constraint is a principal prin; a subject s meets the constraint if 
s ∈ prin. A count constraint refers to a set P of policies, and is parameterized by an integer 
n. The constraint holds if n is greater than the number of times the user of the agreement 
has invoked the policies in P to justify her actions. If the constraint appears in a policy p, 
then P = {p}. Otherwise, the constraint appears in some policy set ps and P is the set of 
policies mentioned in ps. 

Example 2.1. Consider the following agreement: 

agreement for {Alice, Bob} about The Report with and[p_1, p_2], 

where p_1 is count[5] ⇒_id1 print and p_2 is and[Alice, count[2]] ⇒_id2 print. (Recall that 
and[p_1, p_2] is an abbreviation for the policy set true → and[p_1, p_2].) The agreement says 
that asset The Report may be printed a total of five times by either Alice or Bob, and 
twice more by Alice. That is, if Alice and Bob have used policy p_1 to justify their printing 
of The Report a_1 and b_1 times, respectively, then either may do so again if a_1 + b_1 < 5. 
Similarly, if Alice and Bob have used the policy p_2 to justify printing a_2 and b_2 times, 
respectively, then Alice may do so again if a_2 + b_2 < 5. Note that, since Bob does not 
satisfy the constraint of being Alice, b_2 is 0, so the second policy amounts to giving Alice 
the permission to print The Report twice (in addition to any printings made by invoking 
other policies). ∎ 

A count constraint that appears in a policy set is interpreted in a similar way. 

Example 2.2. Consider the following agreement: 

agreement for {Alice, Bob} about The Report with count[5] → and[p_1, p_2], 

where p_1 is print and p_2 is display. The agreement says that Alice and Bob may invoke policies 
p_1 and p_2 a total of five times to justify the printing or displaying of asset The Report. That 
is, if Alice and Bob have used policy p_1 to justify the print action a_p and b_p times respectively, 
and have used policy p_2 to justify the display action a_d and b_d times respectively, then either 
of them may print or display again if a_p + b_p + a_d + b_d < 5. ∎ 

The constraint forEachMember takes a principal prin (usually a group) and a list L of 
constraints; it holds if each principal in prin satisfies each constraint in L. 

ODRL supports nested constraints, where a constraint is used to modify another constraint. 
To illustrate how our approach can accommodate nested constraints, we support 
the constraint prin(count[n]), which is interpreted like a count[n] constraint, except that it 
applies to the principal prin rather than to the user of the agreement. Thus, the constraint 
holds if n is greater than the number of times prin has used the policies to justify her 
actions. 
Example 2.3. Consider the following agreement: 

agreement for {Alice, Bob} about The Report with ps, 

where ps is true → p and p is Alice(count[1]) ⇒ print. The agreement says that if Alice 
has not invoked policy p to print asset The Report, then she may do so; until she does, Bob 
may use p to print The Report any number of times. ∎ 

Example 2.4. Consider the following agreement: 

agreement for {Alice, Bob, Charlie} about The Report with ps, 

where ps is and[{Alice, Bob}, {Alice, Bob}(count[5])] → and[p_1, p_2], p_1 is print, and p_2 is 
display. The agreement says that Alice and Bob may invoke policies p_1 and p_2 a total of five 
times to justify printing and displaying asset The Report. Since Charlie does not satisfy 
the prerequisite {Alice, Bob}, he cannot invoke p_1 or p_2. ∎ 

There are two primitive requirements, prePay and attribution. The prePay requirement 
takes an amount of money as a parameter; it holds if the user pays the specified amount. 
The attribution requirement takes a subject s as a parameter; it holds if s is properly 
acknowledged (e.g., as the writer, producer, etc.). The set of requirements is closed under 
the inSeq construct, which says the requirements must be met in a particular order (e.g., 
acknowledge, then pay), and under the anySeq construct, which says the requirements can 
be met in any order. 

Finally, there are two types of conditions, negated constraints and negated policy sets. 
The condition not[cons] holds if and only if the constraint cons does not hold. For example, 
not[Alice] holds if and only if the user is not Alice. Similarly, the condition not[ps] holds if 
and only if the policy set ps does not hold. But what does it mean that a policy set (or, in 
particular, a policy) does not hold? Consider the policy "If Alice pays five dollars, then she 
is permitted to play 'Finding Nemo'". There are at least two reasonable interpretations of 
when the policy does not hold. Under the first interpretation, the policy does not hold if 
Alice cannot get the permission by paying five dollars. In other words, we could interpret 
not[ps] to mean that a certain set of agreements does not imply ps. A problem with 
this interpretation is that we do not know which agreements should be used to evaluate the 
condition. Under the second interpretation, which we favor, the policy does not hold if Alice 
has paid five dollars and is not permitted to play the movie. In other words, the condition 
amounts to the logical negation of the policy. We choose this interpretation because it is 
simple, fairly intuitive, and, as we shall see, leads to semantics that matches the semantics for 
negated constraints. (This is encouraging because, in the ODRL specification, the discussion 
of negated policy sets is essentially identical to the discussion of negated constraints.)¹ 

¹ It is worth noting that we could modify our interpretation without contradicting the specification. 
Continuing with our example, one variation is to have the condition hold if Alice paid five dollars and is 
not explicitly permitted to play the movie. Another variation is to have the condition hold if Alice paid five 
dollars and is explicitly forbidden to play the movie. We could modify our semantics to accommodate the 
variations in a fairly straightforward way. (This can be accomplished with a validity operator; see [Halpern 
and Weissman 2004] for some details.) 

Example 2.5. Consider the following agreement: 

agreement 
  for {Alice, Bob} 
  about ebook 
  with count[10] → and[forEachMember[{Alice, Bob}; count[5]] ⇒_id1 display, 
                      forEachMember[{Alice, Bob}; count[1]] ⇒_id2 print]. 

The agreement says that Alice and Bob may each display the asset ebook up to five times, 
and they may each print it once. However, the total number of actions, either displays or 
prints, done by Alice and Bob may be at most ten. ∎ 

Example 2.6. Consider the following agreement: 

agreement 
  for {Alice, Bob} 
  about latestJingle 
  with inSeq[prePay[5.00], attribution[Charlie]] ↦ (Alice(count[10]) ⇒_id play). 

The agreement says that after paying five dollars and then acknowledging Charlie, Alice 
is permitted to play the asset latestJingle up to ten times. Moreover, any subject that is 
neither Alice nor Bob is forbidden from playing latestJingle. (Bob's right is unregulated.) ∎ 

As mentioned at the beginning of this section, the syntax presented here differs from 
the one described in the ODRL specification. The key differences are discussed below. 

Authorship. An ODRL agreement includes a principal called the owner. Roughly 
speaking, the owner is the principal who is granting the permissions that are mentioned 
in the agreement. While this information can be useful in practice (e.g., for auditing), our 
syntax does not mention the owner of an agreement because the identity of the owner does 
not affect the legitimacy of an ODRL agreement — an agreement holds regardless of who 
created it. 

Offers. In addition to agreements, ODRL includes offers, which are essentially agreements 
without users. Intuitively, an offer is a contract (governing the use of an asset) that 
does not apply until it is accepted by a user; once accepted, it becomes an agreement. We 
can interpret offers much as we do agreements. 

Permissions versus Policies. The ODRL specification uses the term permission to 
refer to actions, policies, and policy sets, as defined here. We introduce the distinction to 
clarify the exposition and to emphasize the two-tier structure of ODRL. Notice that it is 
the two layers in the framework that allow a prerequisite to apply to multiple policies. 

Contexts. ODRL uses contexts to assign additional information to agreements, prerequisites, 
and other entities. A context might include a unique identifier, a human-readable 
name, an expiration date, and so on. We represent the context elements that are included in 
our fragment directly in the syntax. Adding full contexts to our syntax is straightforward, 
but it does not add any insight. Moreover, we believe it obfuscates the main issues. 

Prerequisites. Payments and other requirements in ODRL take a number of arguments. 
For instance, payments can take an amount and a percentage to be collected for 
taxes. We restrict every prerequisite to at most one argument for simplicity; it is easy to 
extend our approach to include multiple arguments. As we have already mentioned, ODRL 
supports nested constraints. These can be handled in a manner similar to that used for 
prin(count[n]). 
Sequences and Containers. In ODRL, sequences (inSeq, anySeq) and containers 
(and, or, xor) apply to a number of entities. For simplicity, we associate the three containers 
with prerequisites, and associate sequences with requirements. The general case is 
a straightforward extension. In particular, the extension of containers to policies in the 
obvious way helps resolve the ambiguity discussed in the introduction; the policy "Bob may 
use Printer One or Bob may use Printer Two" gives Bob the right to use either printer as he 
chooses. According to discussions with Renato Iannella, this is the interpretation intended 
by the language developers. 

Right Holders. In ODRL, right holders have a royalty annotation, indicating the 
amount of royalty that they receive. This does not reflect an obligation on the part of the 
agreement's user, since payment obligations are captured by requirements. Instead, the 
annotations record how the payments are distributed. Since we are primarily interested 
in capturing permissions, we do not consider royalty annotations, and as a result, do not 
distinguish right holders from other principals. 

Revocation. Finally, the ODRL specification mentions revocation; however, it is not 
clearly defined. A revocation invalidates a previously established agreement. Unfortunately, 
answers to key questions, such as who can revoke an agreement, under what conditions, 
and subject to what penalties, are not discussed in the ODRL specification. As it stands, a 
revocation simply indicates that an agreement has been nullified, and thus may be ignored. 

3 A Semantics in First-Order Logic 

In this section, we formalize the intuitive description of ODRL given in Section 2. Specifically, 
we present a translation from agreements to formulas in many-sorted first-order logic 
with equality. For the rest of this discussion, we assume knowledge of many-sorted first-order 
logic at the level of Enderton [1972]. More specifically, we assume familiarity with the 
syntax of first-order logic, including constants, variables, predicate symbols, function symbols, 
and quantification, with the semantics of first-order logic, including relational models 
and valuations, and with the notion of satisfiability and validity of first-order formulas. 

We assume sorts Actions, Subjects, Assets, PolIds, and SetPolIds (for sets of policy 
identifiers), and deliberately identify a sort with the set of values of that sort. We further 
assume sorts Reals and Times; Reals to represent real numbers, and Times to represent 
time. We interpret real numbers in the standard way. For simplicity, we take sort Times 
to be the nonnegative real numbers extended with the special constant ∞ representing 
infinity. Again, we interpret such extended nonnegative real numbers in the standard way; 
in particular, t < ∞ for every nonnegative real number t different from ∞. 

The vocabulary includes: 

• A predicate Permitted on Subjects × Actions × Assets. The literal Permitted(s, act, a) 
means s is permitted to perform action act on asset a. 

• A predicate Paid on Reals × SetPolIds × Times. The literal Paid(r, I, t) means an 
amount r was paid towards the policies corresponding to the set I of policy identifiers 
at time t. 

• A predicate Attributed on Subjects × Times. The literal Attributed(s, t) means s 
was acknowledged at time t. 

• Constants of sort PolIds, SetPolIds, Subjects, and Assets; we also assume constants 
play, display, and print of sort Actions. 

• A function count : Subjects × PolIds → Reals. Intuitively, count(s, id) is the number 
of times subject s used the policy with identifier id to justify an action. 

• Standard functions for addition (+) and comparison (<, ≤) of real numbers and extended 
real numbers. 

Before presenting the translation, we define some useful auxiliary functions. The function 
subjects returns the set of all subjects appearing in a principal: 

$$\begin{aligned}
subjects(s) &= \{s\} \\
subjects(\{prin_1, \ldots, prin_k\}) &= \textstyle\bigcup_{i=1}^{k} subjects(prin_i).
\end{aligned}$$

The function principals returns the set of principals that are members of a given principal; 
if the principal is a subject, the function returns the singleton set consisting of that subject: 

$$\begin{aligned}
principals(s) &= \{s\} \\
principals(\{prin_1, \ldots, prin_k\}) &= \{prin_1, \ldots, prin_k\}.
\end{aligned}$$

The function ids takes a policy p, and returns the set of policy identifiers that are mentioned 
in p: 

$$\begin{aligned}
ids(prq \Rightarrow_{id} act) &= \{id\} \\
ids(\mathrm{and}[p_1, \ldots, p_m]) &= \textstyle\bigcup_{i=1}^{m} ids(p_i).
\end{aligned}$$

The translation proceeds by induction on the structure of the agreement. The translation 
is given in Figures 3 and 4; we discuss its key features below. 

An agreement is translated into a conjunction of formulas of the form: 

$$\forall x\,(\mathit{prerequisites}(x) \Rightarrow P(x)),$$

where P(x) is itself a conjunction of formulas of the form 

$$\mathit{prerequisites}(x) \Rightarrow (\neg)\mathit{Permitted}(x, act, a)$$

and x is a variable of sort Subjects that is free in P(x). (The notation (¬)Permitted(·) 
indicates that the formula Permitted(·) might be negated.) 

The translation of a policy set ps is a formula [ps]^{prin_u,a}, where prin_u is the agreement's 
user and a is the asset. A (nonexclusive) primitive policy set prq → p translates to 
an implication: if the user is in prin_u and the prerequisite holds, then the policy holds. 
An exclusive primitive policy set is translated as a nonexclusive primitive policy set in 
conjunction with a clause that captures the prohibition (i.e., every subject that is not 
mentioned in the agreement's user is forbidden from performing the actions). Conjunctions 
of policy sets translate to conjunctions of the corresponding formulas. (In the translation, 
we follow the convention that ∧_{i=1}^{m} f_i is true when m = 0.) Note that the translation of a 
policy set is defined in terms of a check that the user is in prin_u, the translation of a policy, 
and the translation of a prerequisite. We now consider each of these in turn. The formula 
[prin]_x is true if and only if the subject denoted by the variable x is in the principal prin. 

$$\begin{aligned}
[\text{agreement for } prin_u \text{ about } a \text{ with } ps] &= [ps]^{prin_u,a} \\[4pt]
[prq \to p]^{prin_u,a} &= \forall x\big(([prin_u]_x \wedge [prq]^{ids(p),prin_u,a}_x) \Rightarrow [p]^{+,prin_u,a}_x\big) \\
[prq \mapsto p]^{prin_u,a} &= \forall x\big(([prin_u]_x \wedge [prq]^{ids(p),prin_u,a}_x) \Rightarrow [p]^{+,prin_u,a}_x\big) \wedge \forall x\big(\neg[prin_u]_x \Rightarrow [p]^{-,a}_x\big) \\
[\mathrm{and}[ps_1, \ldots, ps_m]]^{prin_u,a} &= \textstyle\bigwedge_{i=1}^{m} [ps_i]^{prin_u,a} \\[4pt]
[s]_x &= (x = s) \\
[\{prin_1, \ldots, prin_k\}]_x &= ([prin_1]_x \vee \cdots \vee [prin_k]_x) \\[4pt]
[prq \Rightarrow_{id} act]^{+,prin_u,a}_x &= \big([prq]^{\{id\},prin_u,a}_x \Rightarrow \mathit{Permitted}(x, [act], a)\big) \\
[\mathrm{and}[p_1, \ldots, p_m]]^{+,prin_u,a}_x &= \textstyle\bigwedge_{i=1}^{m} [p_i]^{+,prin_u,a}_x \\[4pt]
[prq \Rightarrow_{id} act]^{-,a}_x &= \neg\mathit{Permitted}(x, [act], a) \\
[\mathrm{and}[p_1, \ldots, p_m]]^{-,a}_x &= \textstyle\bigwedge_{i=1}^{m} [p_i]^{-,a}_x \\[4pt]
[\mathrm{play}] &= play \\
[\mathrm{display}] &= display \\
[\mathrm{print}] &= print
\end{aligned}$$

Figure 3: Translation of ODRL agreements 

There are two translations for policies: a positive translation, where the permissions 
described by a policy are granted, and a negative translation, where they are forbidden. 
The positive translation of a policy p is a formula [p]^{+,prin_u,a}_x, where prin_u is the user 
of the agreement, a is the asset, and x is the variable that ranges over the subjects. A 
policy of the form prq ⇒ act translates to an implication: if the prerequisite holds, then 
the subject represented by x is permitted to perform the action act on the asset a. The 
negative translation of a policy p is a formula [p]^{-,a}_x, where a is the asset, and x is the 
variable that ranges over the subjects. If p is prq ⇒ act, then the translation says that 
x is forbidden to do act to a, regardless of whether prq holds. The positive and negative 
translations of policies are defined in terms of the translation of actions, which is simply the 
constant corresponding to the action. As with policy sets, conjunctions of policies translate 
to conjunctions of the corresponding formulas. 

$$[true]^{I,x,prin_u,a} = true$$

$$[prin]^{I,x,prin_u,a} = [prin]^{x}$$

$$[forEachMember[prin; cons_1, \ldots, cons_m]]^{I,x,prin_u,a} = \bigwedge_{(prin',i) \in P_m} [cons_i]^{I,x,prin',a}, \quad \text{where } P_m = principals(prin) \times \{1, \ldots, m\}$$

$$[count[n]]^{I,x,prin_u,a} = \Big(\sum_{(id,s) \in I \times subjects(prin_u)} count(s, id)\Big) < n$$

$$[prin\langle count[n]\rangle]^{I,x,prin_u,a} = \Big(\sum_{(id,s) \in I \times subjects(prin)} count(s, id)\Big) < n$$

$$[req]^{I,x,prin_u,a} = [req]_{0,\infty}, \quad \text{where}$$

$$[prePay[r]]_{t,t'} = \exists t''(t < t'' < t' \wedge Paid(r, t''))$$

$$[attribution[s]]_{t,t'} = \exists t''(t < t'' < t' \wedge Attributed(s, t''))$$

$$[inSeq[req_1, \ldots, req_k]]_{t,t'} = \begin{cases} [req_1]_{t,t'} & \text{if } k = 1 \\ \exists t_2 \ldots \exists t_k \big(t < t_2 < \cdots < t_k < t' \wedge [req_1]_{t,t_2} \wedge \cdots \wedge [req_k]_{t_k,t'}\big) & \text{if } k \geq 2 \end{cases}$$

$$[anySeq[req_1, \ldots, req_k]]_{t,t'} = \bigwedge_{i=1}^{k} [req_i]_{t,t'}$$

$$[not[ps]]^{I,x,prin_u,a} = \neg\big([ps]^{prin_u,a}\big)$$

$$[not[cons]]^{I,x,prin_u,a} = \neg [cons]^{I,x,prin_u,a}$$

$$[and[prq_1, \ldots, prq_m]]^{I,x,prin_u,a} = \bigwedge_{i=1}^{m} [prq_i]^{I,x,prin_u,a}$$

$$[or[prq_1, \ldots, prq_m]]^{I,x,prin_u,a} = \bigvee_{i=1}^{m} [prq_i]^{I,x,prin_u,a}$$

$$[xor[prq_1, \ldots, prq_m]]^{I,x,prin_u,a} = \bigvee_{i=1}^{m} \Big([prq_i]^{I,x,prin_u,a} \wedge \bigwedge_{j=1,\, j \neq i}^{m} \neg [prq_j]^{I,x,prin_u,a}\Big)$$

Figure 4: Translation of ODRL prerequisites

The translation of a prerequisite $prq$ is a formula $[prq]^{I,x,prin,a}$, where $I$ is a set of policy
identifiers, $prin$ is a principal, $a$ is an asset, and $x$ is a variable of sort Subjects. Intuitively,



$I$ includes (the identifier of) the policies that are implied by the prerequisites and $prin$
is the principal to which the prerequisites apply (the agreement's user, unless overridden
within a forEachMember constraint). A Boolean combination of prerequisites translates
to the Boolean combination of the formulas obtained by translating each prerequisite in
turn. A user constraint $prin$ translates to a formula that is true if the current subject
$x$ is a member of $prin$. The translation of the other constraints is more complicated. A
forEachMember constraint translates to a formula that is true if, intuitively, each constraint
in forEachMember is met by each subject mentioned in the constraint (i.e., each member).
A constraint $count[n]$ translates to a formula that is true if the subjects mentioned in $prin_u$
have invoked the policies identified in $I$ a total of $i$ times, where $i$ is less than $n$. Similarly,
a $prin\langle count[n]\rangle$ constraint translates to a formula that is true if the total number of times
that a subject in $prin$ has invoked a policy whose identifier is in $I$ is less than $n$.

Requirements have a significantly different translation than other prerequisites because
of their dependence on time (e.g., $inSeq[prePay[r], attribution[s]]$ holds if $r$ is paid before $s$
is acknowledged). To handle time correctly, we translate $[req]^{I,x,prin,a}$ to $[req]_{0,\infty}$, where
$[req]_{t,t'}$ is an auxiliary translation that returns a formula that is true if the events specified
by requirement $req$ occur within the interval of time between $t$ and $t'$. If $req$ is a primitive
requirement (i.e., a payment or attribution), then we translate $[req]_{t,t'}$ to a formula that
is true if the relevant payment or attribution occurred at some time between $t$ and $t'$. An
inSeq requirement is satisfied if there exist appropriate successive times between $t$ and $t'$
at which each subrequirement is satisfied. Similarly, an anySeq requirement is satisfied if
the subrequirements are satisfied in an arbitrary order (possibly simultaneously) between
times $t$ and $t'$.

Conditions are translated by negating the translation of either the policy set or the
constraint specified as the argument. Recall that, in ODRL, we can capture statements
such as "If Alice is not permitted to print the report, then she is permitted to display it".
We can also write "If Alice is permitted to print the report, then she is permitted to display
it", since $xor[true, not[ps]]$ is equivalent to $ps$. It follows from our semantics that the first
statement alone gives Alice the display permission if she is explicitly forbidden to print the
report; the two statements together imply that Alice may display the report, regardless of
which print permissions are granted or denied.

Another subtlety arises in the interpretation of sequence requirements, particularly
nested sequence requirements. To illustrate the issue, consider the nested requirement
$anySeq[inSeq[req_1, req_2], req_3]$. What are the allowed sequences of requirements $req_1$, $req_2$,
and $req_3$? One possibility, the one we adopt, is that $inSeq[req_1, req_2]$ is met if $req_1$ happens
before $req_2$. Thus, the following sequences are allowed: $req_1\,req_2\,req_3$, $req_1\,req_3\,req_2$, and
$req_3\,req_1\,req_2$. Alternatively, one could say that $inSeq[req_1, req_2]$ is met if $req_1$ and $req_2$
happen consecutively. Under this interpretation, only the following sequences are allowed:
$req_1\,req_2\,req_3$ and $req_3\,req_1\,req_2$. We can capture this last interpretation by taking:

$$[anySeq[req_1, \ldots, req_k]]_{t,t'} = \begin{cases} [req_1]_{t,t'} & \text{if } k = 1 \\ \exists t_2 \ldots \exists t_k \Big(t < t_2 < \cdots < t_k < t' \wedge \bigvee_{\pi \in S_k}\big([req_{\pi(1)}]_{t,t_2} \wedge \cdots \wedge [req_{\pi(k)}]_{t_k,t'}\big)\Big) & \text{if } k \geq 2, \end{cases}$$

where $S_k$ is the set of all permutations of a set of $k$ elements.

Our translation is admittedly complex; however, it is not clear that a simpler translation
is possible, due to the distributed nature of agreements (e.g., a count constraint can
implicitly refer to policy identifiers that occur throughout the enclosing policy set). To
conclude this section, we translate Examples 2.5 and 2.6 from Section 2.

Example 3.1. The agreement in Example 2.5

agreement
  for {Alice, Bob}
  about ebook
  with count[10] → and[forEachMember[{Alice, Bob}; count[5]] ⇒_id1 display,
                       forEachMember[{Alice, Bob}; count[1]] ⇒_id2 print]

translates to the formula

$$\begin{array}{l}
\forall x((x = Alice \vee x = Bob) \Rightarrow \\
\quad count(Alice, id_1) + count(Alice, id_2) + count(Bob, id_1) + count(Bob, id_2) < 10 \Rightarrow \\
\quad ((count(Alice, id_1) < 5 \wedge count(Bob, id_1) < 5) \Rightarrow Permitted(x, display, ebook)) \wedge \\
\quad ((count(Alice, id_2) < 1 \wedge count(Bob, id_2) < 1) \Rightarrow Permitted(x, print, ebook))).
\end{array}$$


Example 3.2. The agreement in Example 2.6

agreement
  for {Alice, Bob}
  about latestJingle
  with inSeq[prePay[5.00], attribution[Charlie]] ↦ (Alice⟨count[10]⟩ play)

translates to the formula

$$\begin{array}{l}
\forall x((x = Alice \vee x = Bob) \Rightarrow \\
\quad \exists t_1 \exists t_2 (t_1 < t_2 \wedge Paid(5.00, t_1) \wedge Attributed(Charlie, t_2)) \Rightarrow \\
\quad (x = Alice \wedge count(Alice, id) < 10 \Rightarrow Permitted(x, play, latestJingle)) \wedge \\
\quad (\neg(x = Alice \vee x = Bob) \Rightarrow \neg Permitted(x, play, latestJingle))).
\end{array}$$


These examples illustrate that, despite the complexity of the translation, the structure 
of formulas obtained from the translation follows closely that of the agreements. 



4 Queries 

Our formal semantics provides a foundation for reasoning about agreements in a rigorous 
way. Because of their obvious usefulness, we focus on queries of the form "may subject s 
do action act to asset a" . In this section, we formally define such queries; then we examine 
the complexity of answering them. 

4.1 Formal Definition 

Whether a permission (or prohibition) holds depends on the agreements that have been 
created, as well as certain facts about the application. For our fragment of ODRL, the 
relevant facts are which payments have been made, which acknowledgments have been 
given, and the number of times each policy has been used to justify an action. We encode 
this information in an environment, which is a conjunction of positive ground literals, each 
of the form Attributed(s, t) or Paid(s, t), and equalities of the form count(s, id) = n. 
Based on the type of information stored in the environment (both for our fragment and for 
all of ODRL), it seems reasonable to make a form of closed-world assumption: we assume 
all environment facts are known. That is, if a positive Permitted-free ground literal is 
not a conjunct of the environment then we assume it does not hold, with two exceptions. 
First, if there is a subject $s$ and policy identifier $id$ such that no conjunct of $E$ has the form
$count(s, id) = n$, then we assume $count(s, id) = 0$. Second, if the environment together
with the standard interpretation of $=$, $<$, and $\le$ imply that a positive literal holds, then we
assume that it does. For example, if $s$ and $s'$ are subjects; $id$ and $id'$ are policy identifiers;
and no conjunct of $E$ has the form $count(s, id) = n$ or $count(s', id') = n$, then we assume
$count(s, id) = 0$, $count(s', id') = 0$, and $count(s, id) = count(s', id')$.

Suppose that we are interested in determining whether a set A of agreements imply that 
a subject s may do action act to asset a in environment E. We represent such a query as 
a tuple (A, s, act, a, E). Answering the query corresponds to establishing the validity of a 
formula with respect to a particular class of models. Recall that a Herbrand model is a
model whose domain consists of the closed terms in the language. We are interested only in
Herbrand models that agree with the environment and that interpret the symbols $=$, $<$, and
$\le$ in the standard way; that is, they satisfy the axioms of real closed fields [Tarski 1951] over
the sorts Reals and Times (in the latter case, the axioms extended with the obvious axioms
to deal with $\infty$). These axioms include, for instance, the reflexivity of equality, $\forall x.(x = x)$,
and the monotonicity of addition, $\forall x, y, z.(x < y \Rightarrow x + z < y + z)$. Moreover, we want the
models to enforce the closed-world assumption on environments. Given an environment $E$,
let $\Gamma(E)$ be the set of formulas made up of $E$ itself, the real closed fields axioms (extended
to deal with $\infty$), and formulas $count(s, id) = 0$ for every subject $s$ and policy identifier $id$
such that no conjunct of $E$ has the form $count(s, id) = n$. Intuitively, these are the formulas directly
"implied" by the environment. Given a query $q = (A, s, act, a, E)$, define a model $M$ to be
E-relevant if:

(1) the domain of $M$ consists of the closed terms in the language;

(2) $M$ satisfies every formula in $\Gamma(E)$;

(3) for every positive Permitted-free ground literal $\ell$ that holds in $M$, the model $M'$
that is identical to $M$ except that it does not satisfy $\ell$ does not satisfy every formula
in $\Gamma(E)$.

Because an environment consists only of positive facts, an environment $E$ is inconsistent
if and only if $E$ has two conjuncts $count(s, id) = n_1$ and $count(s, id) = n_2$ with $n_1 \neq n_2$.
Thus, an environment $E$ is consistent if and only if there exists an E-relevant model. When
evaluating a query $q = (A, s, act, a, E)$, we consider only those models that are E-relevant.
A formula is E-valid if it holds in every E-relevant model.

We now have the necessary foundation to give an answer to a query $q = (A, s, act, a, E)$.
Define the formulas:

$$f_q^+ = \bigwedge_{agr \in A} [agr] \Rightarrow Permitted(s, act, a)$$

$$f_q^- = \bigwedge_{agr \in A} [agr] \Rightarrow \neg Permitted(s, act, a).$$

The answer to the query depends on the E-validity of $f_q^+$ and $f_q^-$.

• If both $f_q^+$ and $f_q^-$ are E-valid, then either the environment is inconsistent, in which
case all formulas are E-valid, or the agreements are inconsistent in the environment.
Either way, an appropriate answer to the query seems to be "Query inconsistent".

• If $f_q^+$ is E-valid and $f_q^-$ is not, the answer is "Permission granted" because, roughly
speaking, the permission necessarily follows from the agreements in the given
environment.

• Similarly, if $f_q^-$ is E-valid and $f_q^+$ is not, then the answer is "Permission denied".

• Finally, if neither $f_q^+$ nor $f_q^-$ is E-valid, then the agreements in the given environment
do not imply that the permission is granted, nor do they imply that the permission
is denied. So the answer is "Permission unregulated".

4.2 Complexity 

We now consider the computational complexity of answering queries. It turns out that 
we can create an algorithm that takes a query and returns the correct answer; however, it 
seems unlikely that any algorithm will run efficiently on all input. The relevant result is 
the following. 

Theorem 4.1. The problem of deciding, for a query $q = (A, s, act, a, E)$, whether $f_q^+$
is E-valid is decidable and NP-hard. Similarly, the problem of deciding, for a query $q =
(A, s, act, a, E)$, whether $f_q^-$ is E-valid is decidable.

Proof. See Appendix A. □

Since answering a query $q$ amounts to determining the E-validity of $f_q^+$ and $f_q^-$, the first of
which cannot be done efficiently, answering a query cannot be done efficiently.

The proof of Theorem 4.1 in Appendix A suggests that the intractability result holds, 
at least in part, because ODRL includes conditions of the form not[ps], where ps is a policy 
set. It might be possible to modify our translation, and thus the meaning, of not[ps] in such 
a way that the revised semantics matches the specification and answering queries in the 
revised language is a tractable (i.e., solvable in polynomial time) problem. This is because, 
as discussed in Section 2, the description of not[ps] in the ODRL specification is open to 
interpretation. However, tweaking the semantics to get a desired complexity result seems 
somewhat dubious. In addition, it is not clear that finding the largest tractable fragment of 
ODRL, as we have interpreted the language, is interesting because, having discovered that 
a component of the language is not clearly specified and a natural interpretation leads to 
intractability, it seems likely that the meaning of that component will be revised. Since we 
cannot know beforehand what the revision will be, we restrict our attention to the fragment 
of ODRL that does not include conditions of the form not[ps]. 

Let $Q_1$ be the set of queries $(A, s, act, a, E)$ such that no agreement in $A$ mentions a
prerequisite of the form $not[ps]$. We now show that we can answer a query $q = (A, s, act, a, E)$
in $Q_1$ efficiently. As a first step, we consider the special case in which the set of agreements
is a singleton. For any expression $e$ (either in our ODRL syntax or in first-order logic), let
$|e|$ be the length of $e$ when viewed as a string of symbols. For a set $A$ of agreements, let $|A|$
be $\sum_{agr \in A} |agr|$.

Lemma 4.2. There are algorithms that, given a query $q = (\{agr\}, s, act, a, E)$ in $Q_1$:
(a) determine whether $f_q^+$ is E-valid in time $O(|E|\,|agr|^6)$, and
(b) determine whether $f_q^-$ is E-valid in time $O(|E| + |agr|)$.

Proof. See Appendix A. □

It follows from Lemma 4.2 that $Q_1$ is tractable, provided that a permission (or
prohibition) follows from a set of agreements if and only if it follows from a single agreement in
the set. Unfortunately, this is not necessarily true.

Example 4.3. Let $A = \{agr, agr'\}$, where $agr$ is

agreement for Alice about file with print

and $agr'$ is

agreement for Bob about file with true ↦ print.

Observe that $agr$ gives Alice permission to print the file and $agr'$ forbids Alice from printing
it, since the agreement gives Bob the right exclusively. Because the agreements contradict
each other, $f_q^+$ and $f_q^-$ are E-valid for all queries $q = (A, s, act, a, E)$. So the answer to the
query $(A, Charlie, print, file, E)$ is "Query inconsistent", whereas the answer to the query
$(\{agr\}, Charlie, print, file, E)$ and to the query $(\{agr'\}, Charlie, print, file, E)$ is "Permission
unregulated". □

If we consider only those queries in Q\ for which the set of agreements holds in at least 
one relevant model, then we get the desired results. 

Lemma 4.4. Suppose that $q = (A, s, act, a, E)$ is a query in $Q_1$ such that $\bigwedge_{agr \in A} [agr]$
is satisfied in at least one E-relevant model. For every $agr \in A$, let $q_{agr}$ be the query
$(\{agr\}, s, act, a, E)$. Then:

(a) $f_q^+$ is E-valid if and only if $f^+_{q_{agr}}$ is E-valid for some $agr \in A$, and

(b) $f_q^-$ is E-valid if and only if $f^-_{q_{agr}}$ is E-valid for some $agr \in A$.

It follows from Lemma 4.2 and 4.4 together that answering a query $q = (A, s, act, a, E)$
in $Q_1$ can be done efficiently, provided that $\bigwedge_{agr \in A} [agr]$ is satisfied in at least one E-relevant
model. Moreover, if this is not the case, then the query can be answered immediately. If
$\bigwedge_{agr \in A} [agr]$ does not hold in any E-relevant model then both $f_q^+$ and $f_q^-$ are E-valid, so
the answer to $q$ is "Query inconsistent". Therefore, we can answer queries in $Q_1$ efficiently
provided we can quickly determine whether the agreements are satisfied in at least one
relevant model.

Lemma 4.5. There is an algorithm that, given a query $q = (A, s, act, a, E)$ in $Q_1$,
determines whether $\bigwedge_{agr \in A} [agr]$ is satisfied in at least one E-relevant model in time $O(|E|\,|A|^8)$.

Proof. See Appendix A. □

Putting all of these results together, we can derive the tractability of answering queries
in $Q_1$.

Theorem 4.6. There is an algorithm that, given a query $q = (A, s, act, a, E)$ in $Q_1$,
computes the answer to $q$ in time $O(|E|\,|A|^8)$.

Proof. First, run the algorithm of Lemma 4.5 to determine if $\bigwedge_{agr \in A} [agr]$ is satisfied in at
least one E-relevant model. This can be done in time $O(|E|\,|A|^8)$. If the result is "No", then
return "Query inconsistent". If the result is "Yes", then use the algorithms of Lemma 4.2
to check whether $f^+_{q_{agr}}$ and $f^-_{q_{agr}}$ are E-valid for each query $q_{agr} = (\{agr\}, s, act, a, E)$ such
that $agr \in A$. This can be done in time $O(|E|\,|A|^7)$: there are less than $|A|$ agreements in
$A$, and for every $agr \in A$, $|agr| \le |A|$. By Lemma 4.4, $f_q^+$ is E-valid if and only if $f^+_{q_{agr}}$ is
E-valid for an $agr \in A$, and similarly for $f_q^-$. Thus, if $f^+_{q_{agr}}$ is E-valid for an $agr \in A$, and
$f^-_{q_{agr}}$ is not E-valid for all $agr \in A$, then return "Permission granted". Similarly, if $f^-_{q_{agr}}$ is
E-valid for an $agr \in A$, and $f^+_{q_{agr}}$ is not E-valid for all $agr \in A$, then return "Permission
denied". Otherwise, return "Permission unregulated". □
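The four-way query answer of Section 4.1 and the procedure in the proof of Theorem 4.6, as an added Python example that is not the paper's own code. It assumes a simplified encoding of agreements (dicts with for/about/with, policy sets as (prq, policies, exclusive) triples, principals as frozensets), takes the single-agreement checks from Lemma 4.2(a) and Lemma A.2(a), and stands in for the unstated algorithm of Lemma 4.5 with a conflict test derived from Lemma A.2; the sequence requirements follow Figure 4 under the adopted (non-consecutive) reading of nested inSeq, and the sample agreement is Example 3.1.

```python
# Query answering for the not[ps]-free fragment Q_1 of the ODRL semantics (added
# example, not the paper's code).  Assumptions: an agreement is a dict {for, about,
# with} whose 'with' lists policy sets (prq, policies, exclusive), a policy being
# (prq', id, act); principals are frozensets; true is written and[]; the conflict
# test stands in for Lemma 4.5 and is derived from Lemma A.2.
INF = float("inf")

class Env:
    "Environment E: count literals plus Paid/Attributed facts (closed world)."
    def __init__(self, counts=(), paid=(), attributed=()):
        self.counts = list(counts)          # (subject, policy id, n)
        self.paid = set(paid)               # (amount, time)
        self.attributed = set(attributed)   # (subject, time)

    def consistent(self):  # inconsistent iff count(s,id)=n and count(s,id)=n', n != n'
        seen = {}
        return all(seen.setdefault((s, i), n) == n for s, i, n in self.counts)

    def count(self, s, i):  # closed-world assumption: an unmentioned count is 0
        return next((n for s2, i2, n in self.counts if (s2, i2) == (s, i)), 0)

def holds(prq, env, ids, x, prin_u):
    """Truth of [prq]^{I,x,prin_u,a} in the closed-world model of E; without
    not[ps] the formula is Permitted-free, so this is its E-validity (Lemma A.1)."""
    kind, args = prq[0], prq[1:]
    sub = lambda p, prin=prin_u: holds(p, env, ids, x, prin)
    if kind == "user":                      # [prin]^x: x is in subjects(prin)
        return x in args[0]
    if kind == "count":                     # sum over I x subjects(prin_u) < n
        return sum(env.count(s, i) for i in ids for s in prin_u) < args[0]
    if kind == "pcount":                    # prin<count[n]>: sum over I x subjects(prin)
        return sum(env.count(s, i) for i in ids for s in args[0]) < args[1]
    if kind == "foreach":                   # forEachMember[prin; cons_1, ..., cons_m]
        return all(sub(c, frozenset([m])) for m in args[0] for c in args[1])
    if kind == "not":
        return not sub(args[0])
    if kind in ("and", "or"):               # and[] is true
        return (all if kind == "and" else any)(sub(p) for p in args[0])
    if kind == "xor":                       # exactly one of the prerequisites holds
        return sum(sub(p) for p in args[0]) == 1
    return req_in(prq, env, 0, INF)         # a requirement: [req]_{0,infinity}

def req_in(req, env, t, t2):
    "[req]_{t,t'}: the events required by req occur strictly inside (t, t')."
    kind, arg = req
    if kind == "prepay":
        return any(t < u < t2 for r, u in env.paid if r == arg)
    if kind == "attribution":
        return any(t < u < t2 for s, u in env.attributed if s == arg)
    if kind == "anyseq":                    # any order, possibly overlapping
        return all(req_in(r, env, t, t2) for r in arg)
    if len(arg) == 1:                       # inSeq[req_1]
        return req_in(arg[0], env, t, t2)
    # inSeq, k >= 2: only the position of t_2 relative to the event times in E matters,
    # so midpoints between consecutive times (and one past the last) cover every case.
    pts = sorted({t, *(u for _, u in env.paid | env.attributed)} | ({t2} - {INF}))
    cuts = [(a + b) / 2 for a, b in zip(pts, pts[1:])] + [pts[-1] + 1]
    return any(req_in(arg[0], env, t, c) and req_in(("inseq", arg[1:]), env, c, t2)
               for c in cuts if t < c < t2)

def exclusive_actions(agr):  # S^-_ps: actions of the exclusive (|->) policy sets
    return {act for _, policies, excl in agr["with"] if excl for _, _, act in policies}

def forces_permit(agr, s, act, a, env):
    "Lemma 4.2(a): [agr] => Permitted(s, act, a) is E-valid (E assumed consistent)."
    if s not in agr["for"] or agr["about"] != a:
        return False
    for prq, policies, _ in agr["with"]:    # the tuples (prq, I, prq', id, act') of S^+_ps
        ids = frozenset(i for _, i, _ in policies)
        for prq2, i, act2 in policies:
            if act2 == act and holds(prq, env, ids, s, agr["for"]) \
                    and holds(prq2, env, frozenset([i]), s, agr["for"]):
                return True
    return False

def forces_forbid(agr, s, act, a):  # Lemma A.2(a): exclusive sets forbid non-users
    return agr["about"] == a and s not in agr["for"] and act in exclusive_actions(agr)

def answer(agreements, s, act, a, env):
    "The procedure from the proof of Theorem 4.6 for a query (A, s, act, a, E)."
    if not env.consistent():
        return "Query inconsistent"
    # Joint satisfiability (Lemma 4.5's role): the agreements conflict iff one forbids
    # a subject an action on an asset that another grants that subject in E.
    subjects = set().union(*(g["for"] for g in agreements))
    if any(forces_forbid(g1, s2, x, g1["about"]) and forces_permit(g2, s2, x, g1["about"], env)
           for g1 in agreements for g2 in agreements
           for s2 in subjects for x in exclusive_actions(g1)):
        return "Query inconsistent"
    plus = any(forces_permit(g, s, act, a, env) for g in agreements)
    minus = any(forces_forbid(g, s, act, a) for g in agreements)
    if plus != minus:
        return "Permission granted" if plus else "Permission denied"
    return "Query inconsistent" if plus else "Permission unregulated"

# Constructed sample data: the agreement of Example 3.1.
AB = frozenset({"Alice", "Bob"})
EX31 = {"for": AB, "about": "ebook", "with": [(("count", 10), [
    (("foreach", AB, [("count", 5)]), "id1", "display"),
    (("foreach", AB, [("count", 1)]), "id2", "print")], False)]}
```

With counts Alice/id1 = 4, Bob/id1 = 3 and Bob/id2 = 1, `answer([EX31], "Alice", "display", "ebook", env)` is "Permission granted" while the print permission is unregulated because Bob has used up the single print.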

We conclude this section with a few observations. First, we suspect that the queries 
that are of practical interest have certain properties that could be used to improve the 
efficiency of our algorithms. For example, it seems unlikely that a set of agreements will 
give one principal an exclusive right and give someone else that same right (possibly under 
certain conditions). That is, if $A$ is a set of agreements such that an agreement in $A$ gives a
principal $prin$ the exclusive right to do an action $act$ to an asset $a$ and another agreement
in $A$ gives a principal $prin'$ the right to do $act$ to $a$ if certain prerequisites hold, then we
expect that $subjects(prin') \subseteq subjects(prin)$. A straightforward syntactic check can be used
to verify that this is indeed the case for a particular query and, if it is, then our proof of
Theorem 4.5 can be easily modified to show that we can do the check in time $O(|E|)$.

We conjecture that answering a query $(A, s, act, a, E)$ in ODRL can be done efficiently,
provided that, if an agreement in $A$ mentions a prerequisite of the form $xor[prq_1, \ldots, prq_n]$,
then $prq_i$ does not mention a prerequisite of the form $not[ps]$, where $ps$ is a policy set, for
$i = 1, \ldots, n$. That is, we suspect that answering queries can be done efficiently provided
that, whether a permission holds, does not depend on whether a policy set holds (although 
it can depend on whether a policy set does not hold). We believe that we can use ideas 
discussed in [Halpern and Weissman 2003] to prove this result, however, we have not checked 
the details because, as previously discussed, it is not clear that such a result is of practical 
interest. 

5 Discussion: Improving ODRL 

The process of working through the ODRL specification to derive the formal semantics 
highlighted a number of potential weaknesses in the design of ODRL. In addition to not 
having formal semantics, the ODRL specification does not discuss which agreements should 
be enforced, how conflicts should be resolved, how agreements can be revoked, and how the 
environment can be maintained. We examine these issues in turn. 

The ODRL specification does not say which agreements should be used when evaluating 
requests. The developers seem to assume that only a legitimate agent will be able to 
create a particular agreement; however, it is not clear which agents should be recognized as 
legitimate. Are there ODRL agreements that give subjects the right to create agreements? 
If so, who is allowed to write those agreements? A natural approach is simply to assume 
that everyone can write agreements; it is up to the enforcing system to determine which are 
legitimate. A problem with this design is that an agreement might be meaningless on some
systems and quite significant on others. For example, suppose that Bob stores his diary on 
his home machine, which assumes all agreements are legitimate, and on his work machine, 
which assumes an agreement is only legitimate if written by a manager of the company. If 
Bob's sister Alice, who is not a manager of the company, writes an agreement that gives 
her permission to see Bob's diary, then the home machine will permit the access while the 
work machine will not. 

A more satisfying approach is to define the circumstances under which an agreement is 
legitimate and require only legitimate agreements to be considered during query evaluation. 
A definition for legitimacy might say that some agreements are legitimate by fiat (e.g., any 
agreement about an asset a issued by its owner), while others are legitimate because there 
is some proof of legitimacy (e.g., an agreement about an asset a issued by subject s is 
legitimate, because the owner of a has written an agreement that gives s permission to 
regulate access to a). This is essentially the approach adopted for XrML [ContentGuard 
2001]. 

The ODRL specification does not discuss how conflicts should be resolved. For example, 
suppose that Alice gives Bob the exclusive right to distribute her movie and she gives 
Charlie the right to distribute it as well. Is Charlie allowed to distribute the movie? By the 
definition given in Section 4, the answer is "Query inconsistent" because the agreements 
are inconsistent in the environment (regardless of what the environment is). While this is 
an accurate description of the situation, it is not particularly helpful. One solution is to 
remove exclusive policy sets from the language, so that conflicts cannot occur. Another 
option is to store agreements with the relevant asset, rather than only with the users; that 
way, conflicts can be detected, and hopefully resolved between the relevant parties, as soon 
as a conflicting agreement is written. Finally, it is worth noting that, in languages such as 
XACML [Moses 2005] and FAF [Jajodia et al. 2001], conflicts are handled by requiring users 
to write overriding policies, such as "If an action is both permitted and forbidden, then it 
is forbidden" . Unfortunately, it is not exactly clear how this solution could be incorporated 
into the ODRL framework. 

The ODRL specification discusses revocation, but does not give a mechanism for revok- 
ing agreements or for checking whether an agreement has been revoked. Since prerequisites 
in ODRL can limit the time period in which a policy applies and the number of times the 
policy can be used to justify an action, it is not clear that revocation is truly necessary. 
Therefore, one solution is simply to remove all mention of revocation from the ODRL spec- 
ification. Another option is to create policies under which an agreement can be revoked 
legitimately. These policies could be part of an agreement, or could be built into ODRL.
The environment could then maintain a list of revoked agreements, which would not be 
used when answering queries. 

Finally, the specification does not discuss how the environment is maintained. Holzer, 
Katzenbeisser, and Schallhart [2004] propose a solution to this problem. They associate with 
every ODRL agreement an automaton that transitions whenever the user of an agreement 
performs an action. Thus, to recast their work using our terminology, the states of the 
automaton corresponding to an agreement are what we call environments. Holzer et al. do
not describe how to compute which actions are allowed in any given environment; however,
they describe how to update the environment. In contrast, we do not describe how to update
environments, but our semantics describes how to compute which actions are permitted in
any given environment. In this sense, the two semantics are complementary.

6 Conclusion 

ODRL is a popular rights language with features that we have not found in other approaches. 
However, the usefulness of ODRL is limited, in part, because the language does not have 
formal semantics. To address this deficiency, we have proposed a formal semantics for 
ODRL. In the process of creating this semantics, we discovered aspects of the specification 
that should be clarified and have discussed our findings with the language developers. They 
are currently working on the next version of the language, which has formal semantics as 
one of its seven design requirements. 

In addition to giving the language formal semantics, we have considered the practical 
problem of determining whether a set of ODRL statements imply a permission or prohibi- 
tion. Using our semantics, we have formally defined the problem and shown that it is, in 
general, NP-hard. By removing a component of ODRL whose meaning seems to be some- 
what unclear, even to the developers, we can create a tractable fragment of the language. 
To prove that the fragment is tractable, we naturally created a polynomial-time algorithm 
to determine whether a set of ODRL statements imply a permission (or prohibition). To 
the best of our knowledge, this is the first algorithm for answering such queries in ODRL. 

Despite these successes, the work is far from done. We are currently collaborating with 
the language developers on the next version of ODRL. We are also interested in examining 
other types of queries, such as what, if anything, can a subject do to get a desired permission. 
Finally, we intend to do a careful comparison of ODRL and a number of other languages in 
the near future. 
A Proofs

In the proofs below, we use the notation C(S) for the cardinality of set S. We also use the 
notation f[t/x] for the capture-avoiding substitution of term t for variable x in formula /. 

Theorem 4.1. The problem of deciding, for a query $q = (A, s, act, a, E)$, whether $f_q^+$
is E-valid is decidable and NP-hard. Similarly, the problem of deciding, for a query $q =
(A, s, act, a, E)$, whether $f_q^-$ is E-valid is decidable.






Proof. To prove decidability, we present an algorithm to determine whether $f_q^+$ is E-valid.
The first step of the algorithm is to check if $E$ is inconsistent, by simply scanning $E$. (Recall
that $E$ is inconsistent if and only if $E$ has two conjuncts of the form $count(s, id) = n$ and
$count(s, id) = n'$ with $n \neq n'$.) If $E$ is inconsistent, then there are no E-relevant models,
$f_q^+$ is trivially E-valid, and the algorithm returns "Yes".

If $E$ is consistent, then the set of E-relevant models is not empty, and the algorithm
proceeds as follows. Let $g$ be the formula obtained from $f_q^+$ by replacing every subformula
of the form $\forall x(h)$ by $\bigwedge_{s \in S}(h[s/x])$ and every subformula of the form $\exists x(h)$ by $\bigvee_{s \in S}(h[s/x])$,
where $S$ is the set of variable-free terms mentioned in $q$ that are of the same sort as $x$. We
claim that $f_q^+$ is E-valid if and only if $g$ is E-valid. We prove this claim by progressively
constructing $g$; during this process, we consider in some detail the subformulas of the form
$\forall x(h)$ and $\exists x(h)$ that can appear in $f_q^+$.

• Let $g_0$ be the formula obtained from $f_q^+$ by replacing every subformula of the form

$$\forall x((x = s_1 \vee \ldots \vee x = s_n \wedge g') \Rightarrow (g'' \Rightarrow Permitted(x, act', a')))$$

by

$$\bigwedge_{s \in S} ((x = s_1 \vee \ldots \vee x = s_n \wedge g') \Rightarrow (g'' \Rightarrow Permitted(x, act', a')))[s/x],$$

where $S$ is the set of variable-free terms of sort Subjects mentioned in $q$. Since
$\{s_1, \ldots, s_n\} \subseteq S$, it is easy to see that $f_q^+$ is E-valid if and only if $g_0$ is E-valid.

• Let $\Sigma$ be the set of substitutions $\sigma$ such that, for all variables $t$ of sort Times in
$g_0$, $\sigma(t)$ is a variable-free term of sort Times that appears in $q$ and, for all other
variables $x$, $\sigma(x) = x$. Note that $\Sigma$ is finite. Let $g_1$ be the formula obtained from $g_0$
by replacing every formula of the form $\exists t_1 \ldots \exists t_n(h)$, where every free variable of $h$
is of sort Times, with $\bigvee_{\sigma \in \Sigma}(\sigma(h))$. It follows from the translation that, if $t$ is a free
variable in $h$, then $h$ is a conjunction of formulas and one of those conjuncts has either
the form $Paid(r, t)$ or the form $Attributed(s, t)$. It follows from the closed-world
assumption that $g_0$ is E-valid if and only if $g_1$ is E-valid.

• It follows from the translation that every variable remaining in $g_1$ is of sort Subjects;
$g_1$ includes a subformula of the form $\forall x(h)$ if and only if $h$ can be written as $x \neq
s_1 \wedge \ldots \wedge x \neq s_n \Rightarrow \neg Permitted(x, act', a')$, where $s_i$ is a variable-free term in $q$, for
$i = 1, \ldots, n$. Let $g_2$ be the formula obtained from $g_1$ by replacing every subformula
of the form $\forall x(h)$ by $\bigwedge_{s \in S} h[s/x]$, where $S$ is the set of variable-free terms of sort
Subjects mentioned in $q$. Note that $g_2 = g$. So, it remains to show that $g_1$ is E-valid
if and only if $g_2$ is E-valid. The "if" direction is trivial. For the "only if" direction,
suppose by way of contradiction that $g_1$ is E-valid and $g_2$ is not. Note that $g_1$ is of
the form $g_1' \Rightarrow Permitted(s, act, a)$ and $g_2$ is of the form $g_2' \Rightarrow Permitted(s, act, a)$
for appropriate formulas $g_1'$ and $g_2'$. Since $g_2$ is not E-valid, there is an E-relevant
model $M$ that satisfies $g_2' \wedge \neg Permitted(s, act, a)$. Let $M'$ be the E-relevant model
that is identical to $M$, except that the domain of $M'$ is limited to the closed terms
that are mentioned in $q$. It is easy to see that $g_2'$ holds in $M'$ since the formula holds
in $M$, is variable-free, and mentions only those terms that appear in $q$. It follows
from the construction of $g_2$ that, because $g_2'$ holds in $M'$, $g_1'$ holds in $M'$. Since, by
construction, $M'$ does not satisfy $Permitted(s, act, a)$, $M'$ does not satisfy $g_1$, which
gives us the desired contradiction.

Since $g$ is variable-free, the algorithm proceeds by replacing every Permitted-free literal
appearing in $g$ by either true or false depending on $E$ and the standard interpretations
of $=$, $<$ and $\le$. Let $h$ be the formula obtained from $g$ by doing this replacement. Clearly,
$g$ is E-valid if and only if $h$ is E-valid. Moreover, since Permitted is the only predicate
symbol appearing in $h$, $h$ is E-valid if and only if $h$ is valid. The algorithm determines the
validity of $h$ by checking if $h$ holds for all assignments of true or false to the Permitted
literals in $h$ (where a positive literal $\ell$ is not given the same assignment as $\neg\ell$). Obviously,
$h$ is valid if it holds under every substitution and is not valid otherwise.

The same strategy can be used to derive an algorithm that determines the E-validity of

We now reduce the 3-satisfiability problem to the problem of determining whether $f_q^+$
is E-valid for an appropriate query $q$, thereby showing that the latter problem is NP-hard.
Let $\varphi = C_1 \wedge \ldots \wedge C_n$ be a formula in propositional logic, where each $C_i$ is a clause with three
disjuncts. Without loss of generality, we assume that no conjunct $C_i$ is valid. Let $P_1, \ldots, P_m$
be the primitive propositions mentioned in $\varphi$. We want to determine if $\varphi$ is satisfiable.

Let $s_0, \ldots, s_m$ be subjects and let $a$ be an asset. For each conjunct $C_i = L_1 \vee L_2 \vee L_3$
of $\varphi$, let $agr_i$ be the agreement

agreement for {$s_0$, ..., $s_m$} about $a$ with and[$prq_1$, $prq_2$, $prq_3$] → display,

where

$$prq_j = \begin{cases} and[s_0, not[s_k \Rightarrow print]] & \text{if } L_j \text{ is } P_k \\ and[s_0, xor[true, not[s_k \Rightarrow print]]] & \text{if } L_j \text{ is } \neg P_k. \end{cases}$$

Let $q$ be the query $(\{agr_1, \ldots, agr_n\}, s_0, display, a, E)$, where $E$ is the empty environment
(i.e., true). We claim that $\varphi$ is satisfiable if and only if $f_q^+$ is not E-valid. For every
assignment $\mathcal{A}$ of truth values to $P_1, \ldots, P_m$, let $M_{\mathcal{A}}$ be the E-relevant model that satisfies
$\neg Permitted(s_j, print, a)$ if and only if $\mathcal{A}$ assigns $P_j$ to false or $j = 0$. It is not hard to
show that a truth assignment $\mathcal{A}$ satisfies a conjunct $C_i$ of $\varphi$ if and only if $M_{\mathcal{A}}$ satisfies $[agr_i]$.
The key observation is that, for each conjunct $C_i = L_1 \vee L_2 \vee L_3$ of $\varphi$, we can write $[agr_i]$
as

$$f_{i,1} \wedge f_{i,2} \wedge f_{i,3} \Rightarrow Permitted(s_0, display, a),$$

where

$$f_{i,j} = \begin{cases} \neg Permitted(s_k, print, a) & \text{if } L_j \text{ is } P_k \\ Permitted(s_k, print, a) & \text{if } L_j \text{ is } \neg P_k. \end{cases}$$

So, if $\varphi$ is satisfiable, then there is a truth assignment $\mathcal{A}$ that satisfies $\varphi$, the model $M_{\mathcal{A}}$
satisfies $\bigwedge_{agr \in A} [agr] \wedge \neg Permitted(s_0, display, a)$, and, thus, $f_q^+$ is not E-valid. If $\varphi$ is
not satisfiable then, for every truth assignment $\mathcal{A}$, $M_{\mathcal{A}}$ does not satisfy some $[agr_i]$, so
$M_{\mathcal{A}}$ satisfies $f_q^+$. Let $\mathcal{M}$ be the set of models $M$ such that, for all truth assignments $\mathcal{A}$,
$M \neq M_{\mathcal{A}}$. It is not hard to see that every model in $\mathcal{M}$ satisfies $Permitted(s_0, display, a)$,
thereby satisfying $f_q^+$. Since every E-relevant model satisfies $f_q^+$, the formula is E-valid. □
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The following result is used in Lemmas 4.2 and 4.4. 

Lemma A.1. Suppose that $f$ is a Permitted-free formula and $E$ is an environment such
that the set of $E$-relevant models is nonempty. Then $f$ holds in at least one $E$-relevant
model if and only if $f$ is $E$-valid.

Proof. Follows immediately from the definitions. ∎

Given a policy set $ps$, let $S^+_{ps}$ be the set of tuples $(prq, I, prq', id, act')$ such that $ps$
mentions the policy set $prq \rightarrow p$ or $prq \mapsto p$, $I$ is the set of policy identifiers appearing
in $p$, and $p$ mentions the policy $prq' \Rightarrow_{id} act'$. Finally, let $S^-_{ps}$ be the set of actions such
that an action $act'$ is in $S^-_{ps}$ if and only if $ps$ mentions an exclusive policy set that mentions
a policy of the form $prq \Rightarrow act'$.

Lemma A.2. Suppose $agr$ is an agreement of the form

$\mathrm{agreement\ for}\ prin_u\ \mathrm{about}\ a\ \mathrm{with}\ ps.$

Then $[\![agr]\!]$ holds in model $M$ if and only if

(a) for every $act' \in S^-_{ps}$ and $s' \notin \mathrm{subjects}(prin_u)$, $M$ satisfies $\neg\mathrm{Permitted}(s', act', a)$,
and

(b) for every $(prq, I, prq', id, act') \in S^+_{ps}$ and $s' \in \mathrm{subjects}(prin_u)$, either $M$ satisfies
$\mathrm{Permitted}(s', act', a)$ or $M$ does not satisfy $[\![prq]\!]_I^{s', prin_u} \wedge [\![prq']\!]_I^{id, s', prin_u}$.

Proof. Immediate by the definition of $S^+_{ps}$ and $S^-_{ps}$ and the translation $[\![\cdot]\!]$. ∎

Lemma 4.2. There are algorithms that, given a query $q = (\{agr\}, s, act, a, E)$ in $Q_1$:

(a) determine whether $f_q^+$ is $E$-valid in time $O(|E|\,|agr|^6)$, and

(b) determine whether $f_q^-$ is $E$-valid in time $O(|E| + |agr|)$.

Proof. Suppose that $agr$ is an agreement of the form $\mathrm{agreement\ for}\ prin_u\ \mathrm{about}\ a'\ \mathrm{with}\ ps$.

For part (a), we claim that $[\![agr]\!] \Rightarrow \mathrm{Permitted}(s, act, a)$ is $E$-valid if and only if the
set of $E$-relevant models is empty, or all of the following conditions hold:

(i) $s \in \mathrm{subjects}(prin_u)$,

(ii) $a' = a$, and

(iii) there is a tuple $(prq, I, prq', id, act) \in S^+_{ps}$ such that $[\![prq]\!]_I^{s, prin_u} \wedge [\![prq']\!]_I^{id, s, prin_u}$ is
$E$-valid.

• For the "if" direction, if the set of $E$-relevant models is empty, then the formula
$[\![agr]\!] \Rightarrow \mathrm{Permitted}(s, act, a)$ is trivially $E$-valid. If (i), (ii), and (iii) hold, then it is
immediate from the translation that $[\![agr]\!] \Rightarrow \mathrm{Permitted}(s, act, a)$ is $E$-valid.

• For the "only if" direction, suppose by way of contradiction that the formula $[\![agr]\!] \Rightarrow$
$\mathrm{Permitted}(s, act, a)$ is $E$-valid, the set of $E$-relevant models is not empty, and either
(i), (ii), or (iii) does not hold. Because the set of $E$-relevant models is not empty, there
is a model $M$ that is $E$-relevant and that satisfies $\mathrm{Permitted}(t_1, t_2, t_3)$ if and only
if $t_1 \in \mathrm{subjects}(prin_u)$, $t_3 = a'$, and $\mathrm{Permitted}(t_1, t_2, t_3) \neq \mathrm{Permitted}(s, act, a)$, for
all closed terms $t_1$, $t_2$, and $t_3$ of the appropriate sorts. We claim that $M$ satisfies $[\![agr]\!]$,
thus contradicting the assumption that $[\![agr]\!] \Rightarrow \mathrm{Permitted}(s, act, a)$ is $E$-valid. By
Lemma A.2, it suffices to show that A.2(a) and A.2(b) hold. A.2(a) follows from the
construction of $M$. If (i) or (ii) does not hold, then $M$ satisfies $\mathrm{Permitted}(s', act', a')$,
for every tuple $(prq, I, prq', id, act') \in S^+_{ps}$ and $s' \in \mathrm{subjects}(prin_u)$, so A.2(b) holds. Suppose that (iii) does not
hold. Then, for each tuple $(prq, I, prq', id, act') \in S^+_{ps}$ and subject $s' \in \mathrm{subjects}(prin_u)$,
either $s' \neq s$, in which case $M$ satisfies $\mathrm{Permitted}(s', act', a')$; $act' \neq act$, in which
case $M$ satisfies $\mathrm{Permitted}(s', act', a')$; or $s' = s$, $act' = act$, and $f = [\![prq]\!]_I^{s, prin_u} \wedge$
$[\![prq']\!]_I^{id, s, prin_u}$ is not $E$-valid. It follows from Lemma A.1 that $f$ does not hold in $M$
because it is Permitted-free (neither $prq$ nor $prq'$ mention a policy set), so A.2(b)
holds again.

It follows that we can determine the $E$-validity of $[\![agr]\!] \Rightarrow \mathrm{Permitted}(s, act, a)$ by
running the following algorithm: determine whether the set of $E$-relevant models is empty;
if so, return "Yes", otherwise check conditions (i), (ii), and (iii); if all hold, then return
"Yes", else return "No". The set of $E$-relevant models is empty if and only if $E$ is
inconsistent, which can be checked in time $O(|E|)$. We can check whether (i) and (ii) hold
in time $O(|agr|)$. We can also compute $S^+_{ps}$ in time $O(|agr|)$. Finally, the cardinality of
$S^+_{ps}$ is less than $|agr|$. We show that, for each tuple $(prq, I, prq', id, act)$ in $S^+_{ps}$, we can
determine whether $[\![prq]\!]_I^{s, prin_u} \wedge [\![prq']\!]_I^{id, s, prin_u}$ is $E$-valid in time $O(|E|\,|agr|^5)$, so the total
runtime of the algorithm is $O(|E|\,|agr|^6)$.

Using the translation as a guide, we can construct an algorithm for determining whether
$[\![prq]\!]_I^{s, prin_u}$ (or $[\![prq']\!]_I^{id, s, prin_u}$) is $E$-valid. The first step is to rewrite the prerequisites $prq$
and $prq'$ so that they do not contain nested forEachMember constraints. Examining the
translation, it is clear that the constraint

$\mathrm{forEachMember}[prin; \mathrm{forEachMember}[prin'; cons'], cons]$

translates to a formula that is logically equivalent to the translation of

$\mathrm{and}[\mathrm{forEachMember}[prin; cons], \mathrm{forEachMember}[prin'; cons']].$

Generalizing this idea, we can rewrite, in time $O(|prq|)$, the prerequisite $prq$ to an equivalent
$prq_0$ of size $O(|prq|)$ that does not contain nested forEachMember constraints, and similarly
rewrite $prq'$ to an equivalent $prq'_0$. We then apply the algorithm given in Figure 5, called
Holds, to $prq_0$ and $prq'_0$. The algorithm Holds returns true or false; it calls ReqHolds, which
is given in Figure 6, and which returns the earliest time at which a given requirement holds,
or false if the requirement never holds. The claim that $\mathrm{Holds}(prq, s, I, prin_u, E) = \mathrm{true}$
if and only if $[\![prq]\!]_I^{s, prin_u}$ is $E$-valid is established by a straightforward induction on the
structure of $prq$. We can check that the algorithm runs in time $O(|E|\,|agr|^5)$ by solving
a simple recurrence equation. (The assumption that there are no nested forEachMember
in $prq$ is crucial to obtain this running time; without this assumption, the running time
is exponential in the size of the prerequisite.) We leave the straightforward details to the
reader.

For part (b), we claim that $[\![agr]\!] \Rightarrow \neg\mathrm{Permitted}(s, act, a)$ is $E$-valid if and only if the
set of $E$-relevant models is empty or all of the following conditions hold:

(i) $s \notin \mathrm{subjects}(prin_u)$,

(ii) $a' = a$, and

(iii) $agr$ includes an exclusive policy set that mentions a policy of the form $prq \Rightarrow act$.

• For the "if" direction, if the set of $E$-relevant models is empty, then the formula
$[\![agr]\!] \Rightarrow \neg\mathrm{Permitted}(s, act, a)$ is trivially $E$-valid. If (i), (ii), and (iii) hold then $[\![agr]\!]$
can be written as a conjunction of formulas, one of which says that every subject who is
not mentioned in $prin_u$ is forbidden to do $act$ to $a$, so $[\![agr]\!] \Rightarrow \neg\mathrm{Permitted}(s, act, a)$
is again $E$-valid.

• For the "only if" direction, suppose that the set of $E$-relevant models is non-empty.
It follows that there is an $E$-relevant model $M$ such that, for all closed terms $t_1$,
$t_2$, and $t_3$ of the appropriate sorts, $M$ satisfies $\neg\mathrm{Permitted}(t_1, t_2, t_3)$ if and only if
$t_1 \notin \mathrm{subjects}(prin_u)$, $t_3 = a'$, and $\neg\mathrm{Permitted}(t_1, t_2, t_3) \neq \neg\mathrm{Permitted}(s, act, a)$.
We claim that, if (i), (ii), or (iii) does not hold, then $[\![agr]\!]$ holds in $M$ and, thus,
$[\![agr]\!] \Rightarrow \neg\mathrm{Permitted}(s, act, a)$ is not $E$-valid. By Lemma A.2, it suffices to show
that A.2(a) and A.2(b) hold. Since $M$ satisfies $\mathrm{Permitted}(t_1, t_2, t_3)$ for all closed
terms such that $t_1 \in \mathrm{subjects}(prin_u)$, A.2(b) holds. If (i) or (ii) does not hold, then
$M$ satisfies $\neg\mathrm{Permitted}(t_1, t_2, t_3)$ if and only if $t_1 \notin \mathrm{subjects}(prin_u)$ and $t_3 = a'$. It
follows that, for all subjects $s' \notin \mathrm{subjects}(prin_u)$ and all actions $act'' \in S^-_{ps}$, $M$ satisfies
$\neg\mathrm{Permitted}(s', act'', a')$; so A.2(a) holds. If (iii) does not hold, then $act \notin S^-_{ps}$. It
follows from the construction of $M$ that, for each action $act'' \neq act$ and each subject
$s' \notin \mathrm{subjects}(prin_u)$, $M$ satisfies $\neg\mathrm{Permitted}(s', act'', a')$, so A.2(a) holds.

Thus, we can determine the $E$-validity of $[\![agr]\!] \Rightarrow \neg\mathrm{Permitted}(s, act, a)$ by running
the following algorithm: determine whether the set of $E$-relevant models is empty; if so,
return "Yes", otherwise check conditions (i), (ii), and (iii); if all hold, then return "Yes",
else return "No". Checking that the set of $E$-relevant models is empty can be done in time
$O(|E|)$. Checking conditions (i), (ii), and (iii) can be done in time $O(|agr|)$. ∎

Lemma 4.4. Suppose that $q = (A, s, act, a, E)$ is a query in $Q_1$ such that $\bigwedge_{agr \in A} [\![agr]\!]$
is satisfied in at least one $E$-relevant model. For every $agr \in A$, let $q_{agr}$ be the query
$(\{agr\}, s, act, a, E)$. Then:

(a) $f_q^+$ is $E$-valid if and only if $f_{q_{agr}}^+$ is $E$-valid for some $agr \in A$, and

(b) $f_q^-$ is $E$-valid if and only if $f_{q_{agr}}^-$ is $E$-valid for some $agr \in A$.
Holds(prq, s, I, prin_u, E) =

  if prq = true then return true

  if prq = prin then
    if s ∈ subjects(prin) then return true else return false

  if prq = forEachMember[prin; cons_1, ..., cons_m] then
    if Holds(cons_i, s, I, prin', E) is true
        for all i = 1, ..., m and all prin' ∈ subjects(prin) then
      return true
    else return false

  if prq = count[n] then
    sum := 0
    for each s' ∈ subjects(prin_u)
      for each id ∈ I
        if count(s', id) = n' is a conjunct of E then
          sum := sum + n'
    if sum < n then return true else return false

  if prq = prin(count[n]) then return Holds(count[n], s, I, prin, E)

  if prq = not[cons] then return ¬Holds(cons, s, I, prin_u, E)

  if prq = and[prq_1, ..., prq_m] then return ⋀_{i=1}^{m} Holds(prq_i, s, I, prin_u, E)

  if prq = or[prq_1, ..., prq_m] then return ⋁_{i=1}^{m} Holds(prq_i, s, I, prin_u, E)

  if prq = xor[prq_1, ..., prq_m] then
    seenone := false
    for i = 1, ..., m
      if Holds(prq_i, s, I, prin_u, E) is true and seenone is true then
        return false
      else if Holds(prq_i, s, I, prin_u, E) is true and seenone is false then
        seenone := true
    return seenone

  if prq is a requirement then return ReqHolds(prq, s, I, prin_u, E, 0, ∞) ≠ false

Figure 5: Algorithm Holds

ReqHolds(req, s, I, prin_u, E, t, t_max) =

  if req = prePay[r] then
    t' := t_max
    for each conjunct ℓ of E
      if ℓ is of the form Paid(r, I, t'') and t < t'' < t' then
        t' := t''
    if t' ≠ t_max then return t' else return false

  if req = attribution[s] then
    t' := t_max
    for each conjunct ℓ of E
      if ℓ is of the form Attributed(s, t'') and t < t'' < t' then
        t' := t''
    if t' ≠ t_max then return t' else return false

  if req = anySeq[req_1, ..., req_m] then
    t' := ReqHolds(req_1, s, I, prin_u, E, t, t_max)
    if t' ≠ false then return ReqHolds(anySeq[req_2, ..., req_m], s, I, prin_u, E, t, t_max)
    else return false

  if req = inSeq[req_1, ..., req_m] then
    t' := ReqHolds(req_1, s, I, prin_u, E, t, t_max)
    if t' is false then return false
    else return ReqHolds(inSeq[req_2, ..., req_m], s, I, prin_u, E, t', t_max)

Figure 6: Algorithm ReqHolds
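Figures 5 and 6 transcribed into Python, as an added example that is not part of the paper: it encodes a prerequisite as a tuple tagged with its ODRL constructor, a principal as a frozenset of subject names, and an environment as a list of ground facts (an encoding chosen here, not the paper's), and runs Holds and ReqHolds over a constructed environment. The one refinement beyond Figure 6 is that anySeq returns the latest of its members' times, since the figure leaves the empty sequence and the returned time unspecified.

```python
INF = float("inf")

def req_holds(req, s, ids, E, t, t_max):
    """ReqHolds (Figure 6): earliest time after t at which req holds, or False."""
    kind = req[0]
    if kind in ("prePay", "attribution"):
        best = t_max  # scan E for the earliest matching fact strictly after t
        for fact in E:
            if kind == "prePay" and fact[:3] == ("Paid", req[1], ids) and t < fact[3] < best:
                best = fact[3]
            if kind == "attribution" and fact[:2] == ("Attributed", req[1]) and t < fact[2] < best:
                best = fact[2]
        return best if best != t_max else False
    if kind == "anySeq":  # all members hold after t in any order; latest time wins (assumed)
        times = [req_holds(r, s, ids, E, t, t_max) for r in req[1]]
        return False if any(x is False for x in times) else max(times, default=t)
    if kind == "inSeq":  # each member must hold after the previous one was met
        for r in req[1]:
            t = req_holds(r, s, ids, E, t, t_max)
            if t is False:
                return False
        return t
    raise ValueError(f"unknown requirement {req!r}")

def holds(prq, s, ids, prin_u, E):
    """Holds (Figure 5): is [[prq]]_I^{s,prin_u} E-valid? Principals are frozensets of subjects."""
    kind = prq[0]
    if kind == "true":
        return True
    if kind == "prin":  # ('prin', members)
        return s in prq[1]
    if kind == "forEachMember":  # ('forEachMember', prin, [cons, ...]): each member checked alone
        return all(holds(c, s, ids, frozenset([m]), E) for c in prq[2] for m in prq[1])
    if kind == "count":  # ('count', n): prin_u's total uses of the policies in ids is below n
        total = sum(f[3] for f in E if f[0] == "count" and f[1] in prin_u and f[2] in ids)
        return total < prq[1]
    if kind == "prinCount":  # ('prinCount', prin, n) stands for prin(count[n])
        return holds(("count", prq[2]), s, ids, prq[1], E)
    if kind == "not":
        return not holds(prq[1], s, ids, prin_u, E)
    if kind in ("and", "or", "xor"):  # xor is true when exactly one disjunct holds
        results = [holds(c, s, ids, prin_u, E) for c in prq[1]]
        return {"and": all(results), "or": any(results), "xor": results.count(True) == 1}[kind]
    return req_holds(prq, s, ids, E, 0, INF) is not False  # prq is a requirement

# Constructed environment (not from the paper): Alice and Bob share policy "p1" and have
# used it 2 and 1 times; 5 was paid against {p1} at time 3; Alice was attributed at time 7.
PRIN_U, IDS = frozenset({"alice", "bob"}), frozenset({"p1"})
ENV = [("count", "alice", "p1", 2), ("count", "bob", "p1", 1),
       ("Paid", 5, IDS, 3), ("Attributed", "alice", 7)]
```

With this environment count[3] fails for the group (2 + 1 uses) but forEachMember[prin_u; count[3]] holds, and inSeq[prePay[5], attribution[alice]] holds while the reversed sequence does not, because no payment occurs after time 7.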
Proof. For part (a), the "if" direction is trivial. For the "only if" direction, suppose by
way of contradiction that $\bigwedge_{agr \in A} [\![agr]\!] \Rightarrow \mathrm{Permitted}(s, act, a)$ is $E$-valid and $[\![agr]\!] \Rightarrow$
$\mathrm{Permitted}(s, act, a)$ is not $E$-valid for every $agr \in A$. By assumption, there is an $E$-relevant
model $M$ that satisfies $\bigwedge_{agr \in A} [\![agr]\!]$. Let $M'$ be the model that is identical to
$M$ except that $M'$ satisfies $\neg\mathrm{Permitted}(s, act, a)$. Because $M$ is $E$-relevant and $M'$ differs
from $M$ only on the interpretation of Permitted, $M'$ is $E$-relevant. Since $M'$ satisfies
$\neg\mathrm{Permitted}(s, act, a)$ and, by assumption, $\bigwedge_{agr \in A} [\![agr]\!] \Rightarrow \mathrm{Permitted}(s, act, a)$ is
$E$-valid, there is an agreement $agr$ in $A$ such that $M'$ does not satisfy $[\![agr]\!]$. We now
show that $[\![agr]\!]$ implies $\mathrm{Permitted}(s, act, a)$, which contradicts the assumptions. Because
no agreement in $A$ mentions a condition of the form $\mathrm{not}[ps]$, it follows from the
translation that we can write $[\![agr]\!]$ as $\forall x(f_1) \wedge \cdots \wedge \forall x(f_n)$, where each $f_i$ is of the form
$g \Rightarrow (\neg)\mathrm{Permitted}(x, act', a')$, $g$ is Permitted-free, and both $act'$ and $a'$ are closed terms
of the appropriate sorts. Because $[\![agr]\!]$ holds in $M$ and does not hold in $M'$, there exists
an integer $i$ such that $f_i = g \Rightarrow \mathrm{Permitted}(x, act, a)$ and $g[s/x]$ is satisfied in $M'$.
Since $g[s/x]$ is Permitted-free and is satisfied in an $E$-relevant model, it follows from
Lemma A.1 that $g[s/x]$ is $E$-valid. Putting the pieces together, we can write $[\![agr]\!]$ as
$\forall x(h \wedge (g \Rightarrow \mathrm{Permitted}(x, act, a)))$, for an appropriate formula $h$, and $g[s/x]$ is $E$-valid. It
readily follows that $[\![agr]\!] \Rightarrow \mathrm{Permitted}(s, act, a)$ is $E$-valid.

The proof for part (b) is nearly identical to the proof for part (a); in fact, the former can
be obtained from the latter by replacing every occurrence of Permitted by $\neg$Permitted
and vice versa. ∎

Lemma 4.5. There is an algorithm that, given a query $q = (A, s, act, a, E)$ in $Q_1$, determines
whether $\bigwedge_{agr \in A} [\![agr]\!]$ is satisfied in at least one $E$-relevant model in time $O(|E|\,|A|^8)$.

Proof. We claim that $\bigwedge_{agr \in A} [\![agr]\!]$ holds in an $E$-relevant model if and only if

(i) the set of $E$-relevant models is not empty, and

(ii) for every pair of agreements

$\mathrm{agreement\ for}\ prin_u\ \mathrm{about}\ a\ \mathrm{with}\ ps$, and
$\mathrm{agreement\ for}\ prin'_u\ \mathrm{about}\ a'\ \mathrm{with}\ ps'$

in $A$, either

(a) $a \neq a'$, or

(b) for all actions $act \in S^-_{ps}$, tuples $(prq, I, prq', id, act) \in S^+_{ps'}$ and subjects $s \in$
$\mathrm{subjects}(prin'_u) \setminus \mathrm{subjects}(prin_u)$, $[\![prq]\!]_I^{s, prin'_u} \wedge [\![prq']\!]_I^{id, s, prin'_u}$ is not $E$-valid.

For the "if" direction, observe that if (i) holds, then there is an $E$-relevant model $M$ such
that, for all closed terms $t_1$, $t_2$, and $t_3$ of the appropriate sort, $M$ satisfies $\neg\mathrm{Permitted}(t_1, t_2, t_3)$
if and only if there is an agreement $agr$ of the form $\mathrm{agreement\ for}\ prin_u\ \mathrm{about}\ a\ \mathrm{with}\ ps$
in $A$ such that $t_1 \notin \mathrm{subjects}(prin_u)$, $ps$ includes an exclusive policy set that mentions a
policy of the form $prq \Rightarrow t_2$, and $t_3 = a$. It is not hard to see that, if (ii) holds, then
$M$ satisfies $\bigwedge_{agr \in A} [\![agr]\!]$ and we are done. For the "only if" direction, observe that, if
(i) does not hold, then $\bigwedge_{agr \in A} [\![agr]\!]$ clearly does not hold in an $E$-relevant model. If
(ii) does not hold, then there is a subject $s$, action $act$, and asset $a$, such that, for
an agreement $agr \in A$, $[\![agr]\!] \Rightarrow \mathrm{Permitted}(s, act, a)$ is $E$-valid and, for an agreement
$agr' \in A$, $[\![agr']\!] \Rightarrow \neg\mathrm{Permitted}(s, act, a)$ is $E$-valid. Since no model can satisfy both
$\mathrm{Permitted}(s, act, a)$ and $\neg\mathrm{Permitted}(s, act, a)$, no $E$-relevant model can satisfy both
$[\![agr]\!]$ and $[\![agr']\!]$, so $\bigwedge_{agr \in A} [\![agr]\!]$ does not hold in any $E$-relevant model.

We can determine whether (i) holds in time $O(|E|)$, since (i) holds if and only if $E$
is consistent. To check whether (ii) holds, we first construct the sets $S^+_{ps}$ and $S^-_{ps}$ for every
agreement, which takes time $O(|A|)$; then we compare all $|A|^2$ pairs of agreements. For every agreement $agr$
in every pair of agreements, we determine whether certain prerequisites hold; this takes
time $O(|E|\,|agr|^6)$, because there are at most $|agr|$ prerequisites per agreement $agr$ and
evaluating each requirement takes time $O(|E|\,|agr|^5)$, as shown in the proof of Lemma 4.2.
Since $|agr| \leq |A|$ for every agreement $agr \in A$, we get a total running time of $O(|E|\,|A|^8)$. ∎